Vulnerabilities of Industrial IoTs
The Internet of Things (IoT) has evolved the way society operates, with data and the connectivity of the world that can be readily accessed at the convenience of the user has changed the everyday life. Rapidly developing into the industrial sector, known as industrial internet of things (IIoT) or the industrial internet, has attracted many industries from power utilities to the oil and gas industry. The informal definition of IIoT’s is, “all various sets of hardware pieces that work together through internet of things connectivity to help enhance manufacturing and industrial processes.” Similar to IoT, IIoT’s take on a machine–to–machine (M2M) approach with processing and collecting large amounts of data, and the ability to satisfy just about anything the end user wants the capability to accomplish. Unfortunately, due to the majority of industries using and operating on outdated hardware and software solutions such as supervisory control and data acquisition (SCADA) systems causes a critical security concern. With the constant growth of cyberattacks ranging from denial of service (DoS) and ransomware attacks makes the entire industrial industry such as oil and gas companies vulnerable and a target to cyberattacks.
The petroleum industry which entails oil and gas markets, is the leading resource being produced in the world. This hundred-billion-dollar industry supplies consumers globally with one of the most demanded resources. Implementing IIoT solutions in this industry has catered to the need of overcoming challenges and making energy more efficient, safer and ultimately maximize overall operation production. There are only a handful of companies in the market that provide IIoT solutions. Schneider Electric, a global energy efficient provider, is one company that provides solutions to the petroleum market. Some of these include; oil field services, data centers, electrical distribution and management services, and smart O&G field management solutions through IIoT’s meshed all into a network called EcoStruxure. Implementation of platforms like EcoStruxure or even added platforms to older solutions like SCADA causes a vital cybersecurity concern. Putting availability and scalability at risk, developing security patches to new or old solutions is cumbersome. In addition, updates and patches could develop new vulnerabilities to the system and also cause the system and other functions to not perform adequately, fail or even worse be targeted to a cyberattack.
The petroleum industry is vulnerable and a target for cyberattacks. The petroleum industry is operated and owned majority by private companies so publicly knowing of an attack affecting any of these companies is unknown. If an attack was publicized the economy could be affected in many ways such as a spike in gas prices, oil and barrel stocks, or even share values will drop. In end result can negatively impact the global economy in day to day operations, costing not only the petroleum industry billions of dollars, but also cost the users the most in the end.
Moreover, building a more secure IIoT infrastructure is extremely challenging, given that IIoT implements inadequate cybersecurity standards due to the functionality and diversity in IIoT solutions. IIoT uses different message protocols, one of the most widely used protocol MQTT (Message Queuing Telemetry Transport). The MQTT messages in plain text, in other words without using virtual private networks (VPN), or over secure sockets layer (SSL) to encrypt the transmitted data, anyone could access this message either by packet sniffing or man in the middle attack. One way in securing MQTT is over SSL/TSL protocols between MQTT clients and the MQTT broker. In order to do that, a private key must be created, and using the private key can generate a certificate. Once a certificate is created with that key, the MQTT servers (Mosquito) can securely transmit encrypted traffic. Although, this is one of several ways to address the security concerns, however it’s an ongoing process to keep everything secured.
Furthermore, there are several things that need to be addressed and to be aware of when using IIoT’s. Lack of standardization and integration, with basic cybersecurity and no book per se on how to fully secure IIoT’s solutions will not be sufficient in defending next gen attacks. Industrial industries, such as the petroleum industry should adopt security practices and policies industry wide. Heavily investing in cybersecurity solutions and practices now will only better secure companies from criminals and hackers. Some solutions to implement and fill security gaps can entail, next gen IDS and IPS systems, implementations of secure protocols. Creating a security operations center (SOC), with cyber security engineers, pen testers, cyber operations analysts, and threat hunters. Although there is no fit all solution, security efforts no matter big or small will go along way.
The Counterterrorism Group (CTG) is currently monitoring any advisories or alerts disseminated by U.S. Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). CTG is also monitoring any new and developing IIoTs standards and security practices issued by the National Institute of Standards and Technology (NIST). CTG is researching new IIoTs technologies and newly developed malware and vulnerabilities through the Common Vulnerabilities and Exposure (CVE) database.
1. Techopedia. Industrial Internet of Things (IIoT). Techopedia Inc. Accessed 2019. Retrieved From:
2. Schneider Electric. Oil Field Well Automation. Schneider Electric.co.in. 2019. Retrieved From: https://www.schneider-electric.co.in/en/work/solutions/for-business/oil-and-gas/onshore/well-automation.jsp
3. Azzola, F. MQTT Security: Securing a Mosquito Server. IoT Zone. 2017. Retrieved From: https://dzone.com/articles/mqtt-security-securing-a-mosquitto-server